-### Verification of sender address.
-
-SECTION(global, acl)m4_dnl
-acl_not_smtp_start = not_smtp_start
-SECTION(acl, misc)m4_dnl
-not_smtp_start:
- ## Record the user's name.
- warn set acl_c_user = $sender_ident
-
- ## Done.
- accept
-
-SECTION(acl, mail-hooks)m4_dnl
- ## Check that a submitted message's sender address is allowable.
- require acl = mail_check_auth
-
-SECTION(acl, misc)m4_dnl
-mail_check_auth:
-
- ## If this isn't a submission then it doesn't need checking.
- accept condition = ${if !eq{$acl_c_mode}{submission}}
-
- ## If the caller hasn't formally authenticated, but this is a
- ## loopback connection, then we can trust identd to tell us the right
- ## answer. So we should stash the right name somewhere consistent.
- warn set acl_c_user = $authenticated_id
- hosts = +localnet
- !authenticated = *
- set acl_c_user = $sender_ident
-
- ## User must be authenticated.
- deny message = Sender not authenticated
- !hosts = +localnet
- !authenticated = *
-
- ## Make sure that the local part is one that the authenticated sender
- ## is allowed to claim.
- deny message = Sender address forbidden to calling user
- !condition = ${LOOKUP_DOMAIN($sender_address_domain,
- {${if and {{match_local_part \
- {$acl_c_user} \
- {+dom_users}} \
- {match_local_part \
- {$sender_address_local_part} \
- {+dom_locals}}}}},
- {${if and {{match_local_part \
- {$sender_address_local_part} \
- {+user_extaddr}} \
- {or {{eq {$sender_address_domain} \
- {}} \
- {match_domain \
- {$sender_address_domain} \
- {+public}}}}}}})}
-
- ## All done.
- accept
-
-DIVERT(null)
-###--------------------------------------------------------------------------